
Enterprise Data Governance for Financial Institutions


Page 1: Enterprise Data Governance for Financial Institutions

Data Governance starts with planning:
• Metadata Management
• Master Data Management
• Data Quality Management
• Data Privacy & Security

Enterprise Data Governance for Financial Institutions

Page 2: Enterprise Data Governance for Financial Institutions

What is Data Governance?

Ref. http://searchdatamanagement.techtarget.com/definition/data-governance

Is what FIs track in spreadsheets today.

Uses MDM technology to enhance FI data quality and provide metrics on data governance programs.

Defines FI standards for data and who will be accountable.

Assigns a security classification type to all structured and unstructured data within the Financial Institution (FI).

Page 3: Enterprise Data Governance for Financial Institutions

Benefits of Data Governance

• Adopting a Data Governance strategy can help Financial Institutions protect sensitive information from attack or misuse and also helps the organization use its data more effectively.

• Good Data Governance practices and data security classification help to protect against and limit the risks of a data breach, data leakage or human misuse of data.

• By having a Data Governance program, organizations can establish data storage lives and destroy old data to reduce data storage and maintenance costs, providing a small boost in the ROI of Data Warehousing & Business Intelligence programs.

Page 4: Enterprise Data Governance for Financial Institutions

Data Governance Maturity Model

[Figure: four maturity stages; axes: Time, Resource & Technology Investments]

Basic
• Immature policies and procedures
• Lack of training and awareness
• Limited technology

Standardized
• Established policies and procedures
• Formal training and awareness
• Minimal technology

Rationalized
• Process and procedure improvement
• Formal training and compliance metrics
• Reduced reliance on manual controls

Dynamic
• Process transformation and more integrated compliance efforts
• Formal training and compliance metrics
• Fully automated and integrated controls managed by IT

Page 5: Enterprise Data Governance for Financial Institutions

Data Governance Strategic Objectives

INFORMATION DELIVERY: Information Management of Enterprise Reporting Content
• Produces information that is easily accessible, standardized, and sourced from a single place.
• Produces information that can be used to make and support operational and strategic business decisions.
• Ensures data is captured, mapped, stored, managed, retained and archived in accordance with FFIEC compliance regulations.

SIMPLIFY SYSTEMS: Deprecation of Ad-hoc Legacy Business Systems
• Assists in dismantling business systems that are designed or built with architectural dependencies on other applications.
• Consolidation of business application and reporting systems.

ENABLING CAPABILITY: Enabling the Deployment of New Business Applications
• Supports the deployment of new applications by standardizing key business terms to enable data conversion and configuration of application integration points.

ONGOING OPERATIONS: Maintaining business functions that maximize daily operations
• Provide quality support services that add value to FI reporting data stakeholders and business users.
• Maintains safety and soundness of all the data used and shared by the Financial Institution.

Page 6: Enterprise Data Governance for Financial Institutions

Metadata Management

Specifies the basic components of data into information that can be re-used to improve business operations and processes, including:
• Design & control of Data Dictionary
• Identifying Data Stewards & Data Owners
• Retrieval of data from databases
• Design of information processing systems
• Design of EDI-messages
• Maintenance of items in a metadata repository

Page 7: Enterprise Data Governance for Financial Institutions

Metadata Repository (MDR)

• A Metadata Repository is designed to capture the “basic components” or the semantics of data, independent of any application or subject matter area.

• MDRs can reduce the time and costs of defining and approving the semantics of data by re-using basic components that have already been approved by our data stewards.

Page 8: Enterprise Data Governance for Financial Institutions

MDR Registration Model

1) Project submits a term to MDR for registration
2) Project team notifies Registrar submitted item is ready for certification
3) The submitted item is routed to Data Stewards
4) Data Stewards work with the project teams to define terms and definitions
5) Term is pending approval
6) Term is approved by the EDM voting members
7) Term is certified for use in the MDR registry and updated in the FCBT WIKI.

A Registration Process Model can be viewed here.

MDR Registration Process

Page 9: Enterprise Data Governance for Financial Institutions

Classification of Metadata Attributes

| Attribute | Definition | Occurrence | Required Metadata |
|---|---|---|---|
| Term Name | The MDM approved term name. | One per data element | Yes |
| Business Definition | The MDM approved definition | One per data element | Yes |
| Valid Values | Examples of data element, amount, date, selection list or other | If applicable | Yes, if applicable |
| Standardized Formula | Calculation used to derive a data element metric or amount | One per data element | Yes, if applicable |
| Source Reference | The system the data element originates from | Can be multiple systems of origin | Yes, used to determine ownership |
| Data Owner | The decision contact for data quality and data privacy | Could be more than one per data element | Yes |
| Data Steward | Definition contact. Appointee of the business owner. | Could be more than one per data element | Yes |
| Submission Contact | Appointee of the project team | One per data element | Yes |
| Creation Date | Date a data element was submitted | One per data element | Yes |
| Last Change Date | Shows when a data element was last updated | One per data element | Yes |

The complete Metadata Classification Schema can be viewed here.

Page 10: Enterprise Data Governance for Financial Institutions

Master Data Management

Brings together the:
• Business Rules for Data Quality
• Procedures for Metadata Management
• IT Roles & Responsibilities
• Progress Tracking & Reporting
• Data Privacy Classifications for all the data within the organization
• Auditable Time Stamps & User IDs

Page 11: Enterprise Data Governance for Financial Institutions

Benefits of MDM

Master Data Management (MDM) is a methodology for researching and implementing controls and business rules around your data.

The many benefits of implementing Master Data Management include:

- Preventing critical errors in data quality
- Preventing data loss, breach and negligence
- Improving efficiency and availability of information needed for business decision making

Page 12: Enterprise Data Governance for Financial Institutions

Challenges of Implementing MDM

• Lack of centralization
• Data misunderstandings
• Lack of defined metadata attributes
• Poor data quality rules and guidelines
• Other priorities
• Lack of training and awareness
• No clear definition of success

Page 13: Enterprise Data Governance for Financial Institutions

Master Data Management Maturity

[Figure: maturity stages; axes: Processing Maturity, Time; label: INVEST]

• No MDM
• Metadata Schema and Mgmt. Plan
• Stewardship and Project Team Mgmt. Model
• Centralized Hub Processing of all application database data
• Business Rules for Data Quality & Policy Support
• Data Privacy & Security

Page 14: Enterprise Data Governance for Financial Institutions

MDM Capabilities and Enablers

Key Business Capabilities

• Well defined, documented, and enforced policies and processes for governing master data and data quality

• Cross-functional teams of business stakeholders

• Well documented, regularly reviewed and updated operational procedures

Key Technology Enablers

• Established metadata schema and metadata repository

• Data or information consistency, migration, quality, and transformation tools (ETL)

• IT enabled access controls, process management, and security solutions

Page 15: Enterprise Data Governance for Financial Institutions

Solutions for MDM Life Cycle

Strategy
• MDM Roadmap
• Program Development
• Readiness Assessment
• Data Quality / Stewardship Programs

Planning
• Project Planning
• Tool Assessment
• Architecture Design
• Success Metrics & Reporting

Implementation
• Requirements Workshops
• MDM Design
• MDM Process
• Stewardship Process
• Data Quality

Support
• Policies & Procedures
• SLA Management
• MDM Training
• Change Management

MDM Maturity Accelerators
• MDM Methodology
• Project Plans
• Architecture Frameworks
• Best Practice Techniques
• Training Curriculum
• New Technology Tools

Page 16: Enterprise Data Governance for Financial Institutions

Data Quality Management

Data Quality Management is the process of establishing roles & responsibilities and the business rules that govern data by bringing the Business and IT to work together.

Their task is two-fold: to address the problems that already exist and to prevent potential ones from occurring.

Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/

Page 17: Enterprise Data Governance for Financial Institutions

Data Quality and Data Governance: The Basics

• Business Rules
  – Enterprise Architecture
  – Naming and Identification Principles
  – Formulation of Data Definitions
  – Data Definition Process (see Data Registration Model)

• Roles & Responsibilities
  – Business & IT Subject Matter Experts (SMEs)

Page 18: Enterprise Data Governance for Financial Institutions

Business Rules: Naming and Identification Principles

Each administered item shall have a unique data identifier within the metadata register. (ex: ID_KEY)

A naming convention shall cover all the following aspects:

a) the scope of the naming convention, e.g. established industry name
b) the authority that establishes names
c) semantic rules governing the source and content of terms used in a name
d) syntactic rules covering required term order

Page 19: Enterprise Data Governance for Financial Institutions

Business Rules: Formulation of Data Definitions

A data definition should:

a) be stated in the singular
b) state the concept as a descriptive phrase or sentence(s)
c) contain only commonly understood abbreviations
d) be expressed without embedding rationale, functional usage, or procedural information
e) use the same terminology and consistent logical structure for related definitions

Page 20: Enterprise Data Governance for Financial Institutions

Roles & Responsibilities

Data Governance Council – comprises an Information Management Head and Data Stewards from various units.

Information Management Head – is the one who is accountable to the Governance Council on all aspects of data quality. This role would typically be fulfilled by the CIO.

Data Stewards – are the unit heads who lay down the rules & policies to be adhered to by the rest of the team. This role would usually be fulfilled by a Program Manager.

Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/

Data Custodians – are responsible for the safe storage & maintenance of data within the technical environment. DBAs would normally be the data custodians in a firm.

Business Analysts – are the ones who convey the data quality requirements to the data analysts.

Data Analysts – are those who would reflect the requirements into the model before handing it over to the development team.

Internal Audit – reviews procedures to determine how well we did.

Page 21: Enterprise Data Governance for Financial Institutions

Data Privacy & Security Management

Financial institutions should control and protect access to paper, film and computer-based media to avoid loss or damage. Institutions should:
• Establish and ensure compliance with policies for handling and storing information,
• Ensure safe and secure disposal of sensitive media, and
• Secure information in transit or transmission to third parties.

http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/data-security.aspx

FFIEC Action Summary

Page 22: Enterprise Data Governance for Financial Institutions

Data Privacy and Security Threats

Page 23: Enterprise Data Governance for Financial Institutions

Data Privacy & Security Challenges

• Information Security
  – Organizations need to worry about evolving criminal enterprises, but they also need to worry about small storage media devices that can easily be lost or stolen.
  – The financial and reputational costs that data breaches can have on an organization are significant.

• Information Privacy
  – The sensitive information involved in data breaches, and the potential for an increase in identity theft cases, have consumers thinking twice about their personal information being held by organizations.

• A Complex Regulatory Landscape
  – Stop security threats and protect consumers’ personal information
  – Spread awareness of best practices and promote self-regulation

Ref. http://tfs.sharepoint.nterprise.net/sites/Enterprise%20Data%20Mgmt/Project%20Management/EDM%20Presentations/Data%20Governance%20Research%20Files/Guide_to_Data_Governance_Part4_A_Capability_Maturity_Model_whitepaper.pdf

Page 24: Enterprise Data Governance for Financial Institutions

Data Governance Privacy & Compliance Framework

People
• Committed and engaged executive leadership
• Trained, aware and accountable employees

Process
• Structured, repeatable, and adaptable process
• Data Classification & Data Stewardship

Technology
• Secure infrastructure that protects information
• Auditing and Reporting of access controls

Page 25: Enterprise Data Governance for Financial Institutions

Data Governance, Risk Management, and Policy Compliance

• Governance ensures that the business focuses on core activities, clarifies who has the authority to make decisions, and addresses how performance will be evaluated.

• Risk Management is a systematic process for identifying, analyzing, evaluating, remedying, and monitoring risk.

• Compliance refers to actions that ensure behavior that complies with established rules as well as the provision of tools to verify that compliance.

Page 26: Enterprise Data Governance for Financial Institutions

Data Governance Policies

• Data Stewardship (authority) Policy

• Data Classification Policy
  – Public Information
  – Internal Use Only
  – Restricted Data
  – Confidential Data

Page 27: Enterprise Data Governance for Financial Institutions

Data Privacy Risk Management Process

Establish goals

Identify (model) threats

Analyze risks

Determine treatment

Evaluate compliance

Diagramming

Threat Enumeration


Page 28: Enterprise Data Governance for Financial Institutions

Data loss/leak prevention solutions are designed to detect potential data breach incidents in a timely manner and prevent them by monitoring data while in-use, in-motion and at-rest.

A data leakage incident is when sensitive data is disclosed to unauthorized personnel by malicious intent or human mistake.

DLP (Data Loss Prevention) Software

[Figure labels: INTERNET; DLP Suite]

Page 29: Enterprise Data Governance for Financial Institutions

DLP Technology Domains

Secure Information
• Safeguard against malware and intrusions
• Protect systems from evolving threats

Identity and Access Control
• Protect sensitive data from unauthorized access or use
• Provide management controls for identity, access, and provisioning

Information Protection
• Protect sensitive data in structured databases
• Protect sensitive data in unstructured documents, messages, and records
• Automate data classification
• Protect data in motion

Auditing and Reporting
• Monitor to verify integrity of systems and data
• Monitor to verify compliance with policies